Follow SolarWinds:

Top 10 Di agnost i c s Ti ps
f or Cl i ent Tr oubl eshoot i ng
w i t h SCCM

Matthew Hudson, SCCM MVP

Follow SolarWinds:
Table of Contents

Introduction............................................................................................................................................6
How to Telnet to the Ports.....................................................................................................................7
Using Policy Spy and Client Spy ............................................................................................ 8
WMI Errors Resolved..........................................................10
Key Error Codes Defined........................................................................................12
Using Logs for Troubleshooting How and Where to Find Relevant Data......................................13
Top 5 Patch Downloading Issues Resolved.........................................................................................15
WMI from Primary to Machine to Ensure Connection..........................................................................19
Certificate Errors Resolved ..............................................................................................................21
Signature Verification Failure...............................................................................................................23





SolarWinds Patch Manager gives you the ability to patch 3
rd
party applications using Microsoft WSUS
and SCCMautomatically receive ready-to-deploy patches.
Learn More Try It FREE

Follow SolarWinds:
6
Introducti on

Ever hear My client wont register!? If so, this whitepaper will help you quickly fix SCCM issues
and get those users off your back. This paper reviews the TOP 10 SCCM troubleshooting tips:
1. How to telnet to the ports
2. Using Policy Spy and Client Spy
3. WMI errors resolved
4. Key error codes defined
5. Using logs for troubleshooting, how and where to find relevant data
6. Top 5 patch downloading issues resolved
7. WMI from primary to machine to ensure connection
8. Certificate errors resolved
9. Signature verification failure
10. How to use SCCM "right click" tools

About the Author: Matthew Hudson
Matthew has worked in the IT industry for over 20 years with greater than 13 years in higher
education and recent experience in the private sector. As an SCCM MVP, Matthew has
presented, and contributed on the topic Configuration Manager. You can read more of
Matthews work on the following sites:
SCCM Blog: http://sms-hints-tricks.blogspot.com/
SCCM Tools Website: http://www.sccm-tools.com


Follow SolarWinds:
7
#1 How to Tel net to the ports?
Most of us oftentimes get into issues when the client just wont register, and this is a fairly
common problem. When this is the case, the first thing you need to do is test the ports using a
Telnet client. Because management and software update points are all utilizing a port thats
watching or looking, including network load balancers, you can use Microsoft Telnet tool to
connect to that port. You can also use a third-party Telnet tool to connect to the port.
Test ports using Telnet client:
Management points
WSUS/Software update points
Network Load Balancer
Distribution Points
The illustration below shows how a port is tested using Microsoft Telnet session.
Command: telnet SCCM-MP 443
where
SCCM-MP is the Management Point
443 is the port number
In this particular case, the Telnet fails to connect to the port, and throws an error message.
From here you know that either theres a problem on the client, maybe its a firewall, or a
problem between the firewall and the MP, or possibly a problem on the server side. Below is
illustrated using the Microsoft Telnet client from a Windows 7 workstation.

In the event that the connection is successful the box will become blank.
To exit you will use Ctrl ] to view the telnet prompts

Type quit [Enter] and you will be returned to the standard command prompt.
Live Webcast:
SCCM 2012 Insiders
Look Hierarchy
Simplification

June 20th, 2012,
1pm CST
REGI STER NOW

Follow SolarWinds:
8
#2 Usi ng Pol icy Spy and Cl i ent Spy
Policy Spy is one of Microsofts free applications within the Configuration Manager console
that allows you to get visibility into whats inside WMI. As WMI is highly critical to SCCM,
everything is pretty much stored there. If something is wrong with WMI such as inventory not
sending correctly, or advertisements are running over and over again, Policy Spy allows you to
go in and have a look at things within WMI, allowing you to easily troubleshoot by knowing
whats what.


Client Spy is also a free Microsoft application that is available within the Configuration
Manager console. This application helps you look at problems in your client. Here you can look
at software distribution that is pending; packages that are there or no longer available; and you
can also view your software updates. When a software update is downloaded, you will see
those updates directly in the console.

Follow SolarWinds:
9


Both tools along with several other tools is available from the
System Center Configuration Manager Toolkit V2:
http://www.microsoft.com/en-us/download/details.aspx?id=9257

Follow SolarWinds:
10
#3 WMI Errors Resol ved
Most WMI errors can be resolved by repairing WMI. In Windows XP, you can run the
command line which will quickly visualize WMI. In XP there is only one copy of the WMI
repository, whereas in Windows 7, Vista or 2008, there is dual copy of the repository. As a
result, a repair is not normally needed for Windows 7. If anything goes wrong, you can look
back and forth, compare, and correct.
I the case there is a major problem and a repair is required, you may need to reinstall DLLs
and re-register them, and lastly, remove the repository. To do this, you must go into the
Services windows within the Configuration Manager Console, and stop the Windows Manual
Instrumentation Service.

This will prompt you to choose to stop your firewall, SCCM and the SMS Agent Host which can
be stopped before or after. You can simply run the repair from the command prompt for your
XP, you would enter

Follow SolarWinds:
11

Have this run, and within 3 to 4 minutes, your WMI should start back up, and, in case, if it
doesnt start automatically you need to restart the machine and try it again.
In the case of Windows XP you must stop WMI before removing the repository. For Windows
7 to remove the repository you must use the winmgmt /resetrepository.
Note: This is a destructive action to WMI. The WMI repository will attempt to rebuild itself.
Some applications might not recompile their MOF. If this occurs it could cause problems with
the application. Always validate on test machine before performing it on a production machine.



Follow SolarWinds:
12
#4 Key Error Codes Defi ned
If you have an error message, and you are trying to determine what it means, dont go to
Google, Microsoft Forums, MyITForum or other forums, because the error will mean different
things in different applications Outlook, Exchange, etc. Instead, visit the Custom Error
Website for Microsoft and look down the list.

Microsoft Custom Error Website
You can also use Trace32 which includes an error lookup. Simply type in the error code and
get the error definition.

Trace 32 is located in the Configuration Manager toolkit along with Policy Spy and Client Spy.



Follow SolarWinds:
13
#5 Usi ng Logs for Troubl eshooti ng How and
where to fi nd rel evant data
Whenever we opt to troubleshoot a certain error or condition, we always want to look for data
on what happened, where and how. Standard Windows logs can be accessed to obtain this
information; they include:
LocationServices.log
This shows information on:
Download Location: all the distributed sites you can talk to
AD Site: Determine if your machine is on the correct AD site
Certificate Information: if in native mode, you can download site signed certifications from the
management points or from the site server.

ClientIDManagerStartup.log
Use this log when faced with the situation where
o the system is installed and its not registering
o the client is in the console but you cant manage it
In this registration log, youll find errors like Unable to Contact Management Points that could
be caused by a certificate error or possibly a port block or you could problems in the registry,
or you might even see WMI errors for example, unable to open a certain name space.
smscliui.log
SMS Client User Interface

Actions performed in the Run Advertised Programs will show here. If your Run Advertised
Programs is blank open this log to determine if information is received. It will also show you if
manually policy refreshed and other actions are kicked off.
Software update logs
o ScanAgent.log: Pertains to all scanning information, and information on missing
patches, and WSUS
o UpdatesDeploymenet.log: Pertains to download information of updates whether
they are downloading correctly, and from where

Follow SolarWinds:
14
o UpdatesHandler.log and UpdatesStore.log: these logs show compliance
information
o WUAHandler.log: As Windows Updates Agent is being used for software
updates, information on WUD can be seen here
o WindowsUpdate.log: If the Windows Update Agent cant scan correctly, and if it
has problem detecting something, it will sometimes refer you to WindowsUpdate
log. Even though you are using SCCM to scan and patch, you need to go ahead
and check this log.

Follow SolarWinds:
15
#6 Top 5 Patch Downl oading Issues
Resol ved
i. Bits Downloading Issues
Did you ever get a call from the network team saying, Hey, we have a machine or group of
machines pulling down a lot of bandwidth? What do you do?

First, look at the ClientTransferManager log. Here you can find what is downloading and from
which location. Here you will see a log that says the file is downloading from a file location.
This is an indication that this server is not pulling from the correct location. Pulling over
445/SMB via a File location could cause network congestion.
To troubleshoot, go into the command prompt and run Bits Admin, and this will return an ID
that would match the ID that you find up in your log. This will let you know if theres a J ob
error, provide the job number, and will provide how much is being transferred. With this
information, determine if there is a problem and possibly fix the server or turn it over to the
infrastructure group for them to fix. This allows you at least to begin the troubleshooting of
something thats not downloading correctly.








Follow SolarWinds:
16

ii. Windows Update Agent Issues
Windows Update Agents will need to be updated manually unless you have an automated tool
to do this. To determine what WUA is on your machine, there are two reports that you can
look at:
o Scan 1 Last scan states by collection
o Scan 2 Last scan states by site
Though these reports may give you the WUA version, the version will differ depending on
whether you are running Win 7 or Win 7 Service Pack 1. As a result, you need to keep track
of what OS version you are running. If the WUA version is blank on the report, theres a
problem on the machine such as the Windows Agent is not running. The latest version for a
given OS can be found here: http://support.microsoft.com/kb/949104. A SQL query to
determine the WUA version can be found here from Microsoft: http://technet.microsoft.com/en-
us/library/bb680319.aspx
To troubleshoot:
o Windows XP: To fix the problem with Windows XP, you can go to the Windows
updates webpage and find out theres a new version of Windows update. When
you are starting the scanning process to download the update, if theres a
problem with scanning, then, it may mean theres possibly a problem with
Windows update service, and thats the same process SCCM is going to use.
o Windows 7: With Windows 7, the Troubleshooter will pop up, if there is a
problem and it will go through the process of reloading the DLLs and
troubleshooting the issue. Windows 7 can help along with this.
The recommended approach is to push out a Windows Update agent as a package.
iii. Windows Update Handler Issues
If this is red, it confirms that you have a scanning problem. From here, you need to look at the
Scan Agent. Here we find an error: CScanAgent::ScanByUpdates - Update Source Policies
not found no scan will be performed, returning E_FAIL_POLICY_NOT_FOUND.

Follow SolarWinds:
17
A likely problem is the Windows Update Agent Register did not register. The solution is to re-
register the Windows Update Agent.


When theres a problem with a machine not scanning and its throwing all kinds of errors, and
the Windows Update Handler looks all fine except there is a little note at the bottom that says
the search job failed to end; i.e. the search job is not complete. To determine the problem,
look at the UpdatesHandler.log on the client.


iv. Client Refuses to Download Patches
Lets say the software is not downloading at all, or maybe its downloading partially, but
everything, including scanning, appears to be working fine.

Follow SolarWinds:
18
Solution: Stop the Windows Update Agent, delete the softwaredownloadfolder (C:\windows),
and restart the Windows Update Agent. This is just one solution. It doesnt fix everything and
you might need to make sure that any trouble-shooting you do on the Client does not break
anything else.

v. WSUS Policy Missing
The symptom of this problem is that the machine that successfully scans but doesnt download
or install. Other clients have the same problem.
Look up in the WindowsUpdateAgentHandler log. You will get you the information:
Received SuceededWithErrors code from WUS during search. Check windowsUpdate.log in
Windows directory.
A search in the WindowsUpdate log will say the license terms are not available, and it failed to
download the electronic license agreement.


Solution: Go into the WSUS folder, and in the command line, you can run WSUS Utility Set
and it will re-download the client information for your WSUS server.
Confirm that the folder is there, and copy that folder into WSUS. When you click scan, all the
machines will immediately start downloading the file. You will not need to restart any service


Follow SolarWinds:
19
#7 WMI From Primary Machine to Ensure
Connection

There is an automated approach you can use for ensuring connection to your machines. WMI
monitoring tools allow administrators to identify Windows operating system issues, application
issues and other potential issues. There are a lot of free monitoring tools on the market to
help with this. SolarWinds provides a free WMI Monitor tool. It provides customizable WMI
monitoring which you can visualize in a dashboard.



#8 Certificate Errors Resolved

Listed below are some common reasons why certificate errors occur in Native Mode. Keeping
a check on these, to prevent errors from happening in the first place.
Site Server Signing Certificate renewed late
IIS certificate renewed incorrectly
Client moved from one hierarchy to another
When registering with the site, another site was found and pulled that sites Trusted Root
Certificate



Follow SolarWinds:
20
If you have a Machine that cant receive Content or wont inventory and your log shows,
Received policy could not be verified or Advanced Client rejected the site signed certificate
due to trust-related failure. This means something is wrong with your site signed certificate.
The view below is what is seen from the Status Messages for a specific system.

To fix this problem you can:
Stop the SCCM service. Clear the AllowedRootCAHashCode value, and restart the SCCM
service. This will repopulate the key with the different value. You can determine the correct
value is by finding a working machine inside your hierarchy and locating the number. If this
does not work, then stop the service, kill the hash code value and restart the service. This
might not work because the client cannot register with the MP. In this case, you may need to
uninstall and restart it. Using the ResetKeyInformation=True will force the trusted root key to
reset.



Alternatively, you can run a repair on the CCM setup. Go to the command bar of the file and
then show reset key information to true. What this does is it pulls out the trusted root key. By
doing that, you repair the Client, and put the trusted root key back in.





Follow SolarWinds:
21
#9 Signature Verification Failure

The symptom of this problem is when you run advertise programs, you only get a partially
populated list. For example, you see 15 items when you should see 30. If you look in the
PolicyAgent log, you will see the Signature Verification failed status.

.

To address this, you can use Policy Spy to get the Advertisement ID and the corresponding
Package ID.

Follow SolarWinds:
22

From there you can open up the Console and locate a package with respect to the Package ID.
Now here lies the problem. This package can only run on specific platforms per the policy.
Lets say all Win 7 machines are clicked, but then down below you have the Win 7 clicked, but
not the Win 7 SP1. So, now you have a conflict. Your machine doesnt really understand
which policy to go with. You can go and locate in the different selections and fix that. So if it
says All Win XP machines, you need to go and remove anything that says XP Service Pack
One and not Service Pack Three. This will solve the problem and the machine will have just
one policy to apply.



Follow SolarWinds:
23
#10 How to Use SCCM "Right Click" Tools

Right Click Tools are some really helpful and handy tools that considerably speed up the
troubleshooting process, for example, status message, collection membership, machine Client
refresh, and so on. Check out this website for a list of tools I created.
Some key actions that we can perform with right click tools are:
Deploy packages to a set of DPs
PSEXEC commands on remote systems
Reports
Import Computers/Users
Add computers to collection or collections to computer
Wake up machine (WOL)
Status messages
Collection listing
Setup/Decommission a DP
Location collections/Packages/Advertisements
Machine policy refresh



Follow SolarWinds:
24
About SolarWinds Patch Manager
SolarWinds Patch Manager makes the time-intensive, error-prone chore of patching
Microsoft Windows servers and workstations simpler, faster, and more reliable. Patch
Manager allows sysadmins to automate patching applications across tens of thousands of
servers and workstations and receive automatic notifications of new third-party patches from
leading vendors like Adobe, Apple, Google, Mozilla, and Sun Microsystems.
Feature Highlights:
Manages updates dynamically, pushing the right patches to the right machines at the right
time
Alerts when patches are available from Adobe, Apple, Google, Mozilla, Oracle; &
other vendors
Deploys patches across your Windowsservers & 3rd-party applications in hours not
weeks
Uses PackageBoot technology to execute custom actions before & after patches are
deployed
Performs enterprise-wide discovery & instantly identifies rogue, unauthorized, &
unpatched computers

About SolarWinds
SolarWinds (NYSE: SWI) provides powerful and affordable IT management software to
customers worldwide - from Fortune 500 enterprises to small businesses. The company works
to put its users first and remove the obstacles that have become status quo in traditional
enterprise software. SolarWinds products are downloadable, easy to use and maintain, and
provide the power, scale, and flexibility needed to address users management priorities.
SolarWinds online user community, http://thwack.com, is a gathering-place where tens of
thousands of IT pros solve problems, share technology, and participate in product
development for all of the companys products. Learn more today at http://solarwinds.com.

For additional information, please contact SolarWinds at 866.530.8100 or e-mail
sales@solarwinds.com.

To locate an international reseller near you, visit
http://www.solarwinds.com/partners/reseller_locator.aspx